Who can use this feature?
Organization Owners, Admins, and other users with the secrets:manage permission

Connect to your AWS Secrets Manager to securely access application secrets, API keys, and sensitive data from anywhere in Superblocks. This guide covers:

Prerequisites

To set up AWS Secrets Manager as a secret store for Superblocks you’ll need:
  • An AWS account with AWS Secrets Manager configured
  • Permission to create new IAM policies for your AWS account

Set up

Create IAM policy

Create an IAM policy to grant Superblocks access to your secrets. This policy should be associated with either an IAM user (for Access Key auth) or an IAM role (for Assume Role auth when self-hosting the data plane). Below is an example policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": ["arn:aws:secretsmanager:${REGION}:${ACCOUNT_ID}:secret:*"]
    },
    {
      "Effect": "Allow",
      "Action": ["secretsmanager:ListSecrets"],
      "Resource": "*"
    }
  ]
}
We recommend granting Superblocks access to only the minimum set of secret ARNs your team will use in Superblocks. For added security, prefix those secrets with superblocks/${env}/ so the secrets used in Superblocks are easy to identify.
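One way to check a policy against this recommendation before attaching it, as an added example that is not Superblocks' own code. The region, account ID, and `superblocks/prod/` prefix are constructed sample values, `overbroad_resources` and `example_policy` are hypothetical helper names, and the check assumes statements use `Action`/`Resource` rather than `NotAction`/`NotResource`.

```python
import json
from fnmatch import fnmatchcase

# Actions that return or describe secret contents; these are the ones to prefix-scope.
READ_ACTIONS = ("secretsmanager:getsecretvalue", "secretsmanager:describesecret")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def overbroad_resources(policy_json, prefix):
    """Return (statement index, resource) pairs that allow secret reads
    on anything other than secret names starting with `prefix`."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        # Action wildcards ("*", "secretsmanager:*", "secretsmanager:Get*") count as reads.
        grants_read = any(fnmatchcase(r, a) for r in READ_ACTIONS for a in actions)
        if stmt.get("Effect") != "Allow" or not grants_read:
            continue
        for res in _as_list(stmt.get("Resource", [])):
            # ARN layout: arn:partition:secretsmanager:region:account:secret:name
            parts = res.split(":", 6)
            is_secret = len(parts) == 7 and parts[5] == "secret"
            if not (is_secret and parts[6].startswith(prefix)):
                findings.append((i, res))
    return findings

def example_policy(secret_resource):
    """The policy shape shown above, with a constructed region and account ID."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
             "Resource": [secret_resource]},
            # ListSecrets does not support resource-level scoping, so "*" is expected here.
            {"Effect": "Allow", "Action": ["secretsmanager:ListSecrets"], "Resource": "*"},
        ],
    })

ARN_BASE = "arn:aws:secretsmanager:us-east-1:111122223333:secret:"  # constructed values

if __name__ == "__main__":
    # First resource is the wildcard from the example policy; second is prefix-scoped.
    for res in (ARN_BASE + "*", ARN_BASE + "superblocks/prod/*"):
        print(res, "->", overbroad_resources(example_policy(res), "superblocks/prod/"))
```

The trailing `*` in the scoped resource is still needed because Secrets Manager appends a random suffix to the secret name in each ARN.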

Configure secret store

Configure a new secret store in Superblocks:
  1. Go to the Secrets Management page in Superblocks
  2. Click the AWS Secrets Manager tile
  3. Name your secret store integration
  4. If your secrets follow hierarchical naming conventions, specify a Prefix to filter secrets in this store. For example, if Superblocks secrets are all named like superblocks/${env}/secret1, superblocks/${env}/secret2, etc., then superblocks/${env}/ is the corresponding prefix value.
  5. Specify your AWS Region
  6. Select Auth type
    For Access Key auth, paste the Access key ID and Secret access key for the IAM user Superblocks will act on behalf of.
  7. Configure caching rules for this store
  8. Optionally, add more configurations for different environments
  9. Click Create
Your secret store is now configured. Developers can now reference secrets in their backend APIs and integrations.

Caching

If enabled, Superblocks can cache your secrets, reducing calls to your secrets manager and improving API performance when using secrets. Caching can be configured for each of your secret store’s configurations, letting you set different policies based on the environment. To configure caches, go to Secrets Management and click into your secret store. From here you can:
  • Update the Cache TTL (seconds) to your desired caching interval
  • Clear the cache if you’ve rotated a secret and need Superblocks to refetch secret values
If you’re self-hosting with Hybrid or Cloud-Prem architectures, secrets are cached in-memory by the data plane. For scaled deployments, you’ll need to clear each instance’s cache individually when rotating secrets. To rotate secrets more easily, disable caching first. Then, after updating the secret, re-enable caching.

Using secrets

For details on how to reference secrets in your backend APIs and integrations, see Using secrets.